Re: kern/60191: npf: map dynamic to localhost works for v4 but not for v6

To: gnats-bugs%NetBSD.org@localhost, netbsd-bugs%NetBSD.org@localhost
Subject: Re: kern/60191: npf: map dynamic to localhost works for v4 but not for v6
From: Taylor R Campbell <riastradh%NetBSD.org@localhost>
Date: Wed, 29 Apr 2026 00:16:24 +0000

Traffic _from the local host_ to its own public addresses is also
troublesome.

With the rules above, _remote hosts_ can do, e.g.,

	ftp -4 http://example.com/robots.txt

and it works fine, while

	ftp -6 http://example.com/robots.txt

does not (packets arrive at $primary_if but go nowhere), where
example.com has those npf rules -- that's the original issue.

I can work around this by changing the v6 rule to

	map $primary_if dynamic proto tcp $primary_addrs port 8000 \
	    <- $primary_v6 port 80

at the cost of inadvertently exposing public access via port 8000 too
(not a big deal but kind of sloppy).

On the _local host_ (i.e., on example.com),

	ftp -4 http://example.com/robots.txt

gives connection refused, via TCP RST that shows up on lo0 with
tcpdump, and leads to no output in `npfctl list -n'.  I can make this
work by adding:

	map lo0 dynamic proto tcp 127.0.0.1 port 8000 \
	    <- $primary_v4 port 80

If the v4 address is 192.0.2.123, then with this additional map rule,
`npfctl list -n' shows (after running ftp -4):

# src-addr:port       dst-addr:port         interface  nat-addr:port
192.0.2.123:65519     192.0.2.123:80        lo0        127.0.0.1:8000

But I can't find how to make

	ftp -6 http://example.com/robots.txt

work _on the local host_ (i.e., on example.com).

I tried various combinations of map lo0 and map $primary_if with
sources and destinations of $primary_v6, $primary_addrs, and
hard-coded explicit addresses -- couldn't find anything that worked;
everything I tried went nowhere with zero output from tcpdump on
either lo0 or $primary_if.

If the v6 addresses are 2001:db8::123 and fe80::123, and $primary_if
is xennet0, I've gotten `npfctl list -n' to show alternately

# src-addr:port       dst-addr:port         interface  nat-addr:port
[2001:db8::123]:65478 [2001:db8::123]:80    xennet0    [fe80::123]:8000

or

# src-addr:port       dst-addr:port         interface  nat-addr:port
[2001:db8::123]:65478 [2001:db8::123]:80    xennet0    [2001:db8::123]:8000

(but I was flailing around a lot and don't remember exactly which set
of options led to which output).  Note that in all my attempts, it
showed xennet0 ($primary_if), never lo0!  Perhaps that is a clue that
will lead to the source of the problem: v4 is getting mapped through
lo0, but v6 is getting mapped through $primary_if instead.

Prev by Date: Re: lib/60215: ld.elf_so dlerror() state is not thread-local
Next by Date: Re: kern/60191: npf: map dynamic to localhost works for v4 but not for v6
Previous by Thread: kern/60191: npf: map dynamic to localhost works for v4 but not for v6
Next by Thread: Re: kern/60191: npf: map dynamic to localhost works for v4 but not for v6
Indexes:

Home | Main Index | Thread Index | Old Index